Abstract — The average conditional entropy of the key given the message and its corresponding cryptogram, $H(K\,|\,M, C)$, which is referred to as the key appearance equivocation, was proposed as a theoretical measure of the strength of a cipher system under a known-plaintext attack by Dunham in 1980. In the same work (among other things), lower and upper bounds for $H(S_M\,|\,M^L C^L)$ are found and its asymptotic behaviour as a function of the cryptogram length $L$ is described for simple substitution ciphers, i.e. when the key space $S_M$ is the symmetric group acting on a discrete alphabet $\mathcal{M}$. In the present paper we consider the same problem when the key space is an arbitrary subgroup $\mathcal{K} \le S_M$ and generalize Dunham's result.
I. Introduction

Shannon in his seminal paper [2] showed that the conditional entropies of the key and of the message given the cryptogram can be used as a theoretical measure of the strength of a cipher system when unlimited cryptanalytic computational capabilities are assumed. These conditional entropies are called the key and message equivocation, respectively.

In general it is difficult to calculate these equivocations explicitly. For that reason Shannon established in [2] a general lower bound and introduced a random cipher model which approximates the behaviour of complex practical ciphers. Afterwards, Hellman [3] reviewed and extended Shannon's information-theoretic approach and showed that the random cipher model is conservative, in that a randomly chosen cipher is essentially the worst possible. Later on, Blom [4] obtained exponentially tight bounds on the key equivocation for simple substitution ciphers. In [1], in order to derive bounds for simple substitution ciphers on the message equivocation in terms of the key equivocation, Dunham derived such bounds for the so-called key appearance equivocation. This author also pointed out that it can be considered as a theoretical measure of the strength of the cipher system under a known-plaintext attack. Another contribution to this subject is Sgarro's work [5].

In Section II we give the necessary background and state a theorem which gives the bounds on the key appearance equivocation for substitution ciphers when the key space is confined to a subgroup $\mathcal{K}$ of the group $S_M$ of all substitutions of a discrete alphabet $\mathcal{M}$. In Section III we discuss four applications of the stated theorem in some particular cases. Finally, we conclude in Section IV.
II. Lower and Upper Bounds for the Key Appearance Equivocation

For basic definitions and notions we refer to [2], [1] and [6]. Let a memoryless message source with a discrete finite alphabet $\mathcal{M} = \{1, 2, \dots, N\}$ be given. The probability of a symbol $n$ is denoted by $P_M(n)$. The cryptogram alphabet $\mathcal{C}$ is taken to be the same as $\mathcal{M}$, and the key space is $\mathcal{K} \le S_M$, an arbitrary subgroup of the symmetric group acting on $\mathcal{M}$. For every $\pi \in \mathcal{K}$ the cryptographic transformation $T_\pi : \mathcal{M}^L \to \mathcal{M}^L$ is determined in the following way: if $m^L = m_1 m_2 \dots m_L$ is a message of length $L$, then the cryptogram is $c^L = T_\pi(m^L) = \pi(m_1)\pi(m_2)\dots\pi(m_L)$. We assume also that the key and message sources are independent, and that the keys are equiprobable, i.e. $P_K(\pi) = 1/|\mathcal{K}|$.

We make use of the following lemma:

Lemma 2.1: Let $G$ be a group of substitutions of the finite set $X$. If the set $G(i,j) = \{\pi \in G : \pi(i) = j\}$, where $i$ and $j$ are some fixed elements of $X$, is nonempty, then it is a left coset of the stabilizer $St(i) \stackrel{\mathrm{def}}{=} \{\tau \in G : \tau(i) = i\}$.

Proof: Obviously, if $\pi \in G(i,j)$ then for any $\sigma \in St(i)$ we have $\pi \circ \sigma(i) = \pi(i) = j$. Conversely, if $\pi(i) = j$ and $\tau(i) = j$ then $\pi^{-1} \circ \tau(i) = \pi^{-1}(j) = i$, hence $\pi^{-1} \circ \tau \in St(i)$. ■

In order to state the main theorem we need the following definitions:

Definition 2.2: The set $F(\pi) = \{j : \pi(j) = j\}$ is called the fixed set of $\pi \in \mathcal{K}$.

Let us denote by $\mathcal{K}^*$ the set of all substitutions in $\mathcal{K}$ excluding the identity.

Definition 2.3: The key $\pi \in \mathcal{K}^*$ is called maximal when its fixed set $F(\pi)$ is maximal in the sense of inclusion among the sets $F(\tau)$, $\tau \in \mathcal{K}^*$.

We will denote by $\mathcal{K}_{\max}$ the set of all maximal keys and, for any $\pi \in \mathcal{K}_{\max}$, by $P_\pi$ the sum of probabilities $\sum_{j \in F(\pi)} P_M(j)$.

For completeness of exposition we recall the definition of the key appearance equivocation:

Definition 2.4:
$$H(\mathcal{K}\,|\,m^L c^L) \stackrel{\mathrm{def}}{=} \sum_{k :\; T_k(m^L) = c^L} P_K(k\,|\,m^L c^L)\,\log\frac{1}{P_K(k\,|\,m^L c^L)},$$
where $P_K(k\,|\,m^L c^L)$ is the conditional probability of the key $k$ given the pair $(m^L, c^L)$; the key appearance equivocation $H(\mathcal{K}\,|\,M^L C^L)$ is the average of this quantity over all pairs $(m^L, c^L)$.

The following theorem is a generalization of the result obtained in [1] on the behaviour of the key appearance equivocation for simple substitution ciphers as a function of the cryptogram length.
Theorem 2.5: Under the assumptions imposed above, let $\mathcal{K}_{\max}$ be nonempty and $R = \max\{P_\tau : \tau \in \mathcal{K}_{\max}\}$. Then the following inequalities hold:

$$\log(2)\,R^L \;\le\; H(\mathcal{K}\,|\,M^L C^L) \;\le\; \log(|\mathcal{K}|)\,|\mathcal{K}_{\max}|\,R^L.$$

Remark. The logarithms are taken to an arbitrary fixed base depending on the unit of entropy measurement.

Proof: Starting from the definition of conditional entropy, using the fact that the keys are equiprobable and applying Lemma 2.1, we consecutively get:

$$H(\mathcal{K}\,|\,M^L C^L) = \sum_{m^L \in \mathcal{M}^L} \sum_{c^L \in \mathcal{C}^L} H(\mathcal{K}\,|\,m^L c^L)\,P_{M^L C^L}(m^L c^L) = \sum_{m^L \in \mathcal{M}^L} \sum_{c^L \in \mathcal{C}^L} \log(|St(m^L)|)\,P_{M^L C^L}(m^L c^L)$$
$$= \sum_{m^L \in \mathcal{M}^L} \log(|St(m^L)|) \sum_{c^L \in \mathcal{C}^L} P_{M^L C^L}(m^L c^L) = \sum_{m^L \in \mathcal{M}^L} \log(|St(m^L)|)\,P_{M^L}(m^L),$$

where $St(m^L) = \{T_\pi : T_\pi(m^L) = m^L,\ \pi \in \mathcal{K}\}$ is the stabilizer of the message $m^L$.

Clearly, if $St(m^L) \ne \{e\}$, where $e$ is the identity, we have $2 \le |St(m^L)| \le |\mathcal{K}|$. Thus the following inequalities hold:

$$\log(2) \sum_{m^L :\, St(m^L) \ne \{e\}} P_{M^L}(m^L) \;\le\; H(\mathcal{K}\,|\,M^L C^L) \;\le\; \log(|\mathcal{K}|) \sum_{m^L :\, St(m^L) \ne \{e\}} P_{M^L}(m^L) \qquad (1)$$

The fact that the message source is memoryless implies, for any $\Omega \subseteq \mathcal{M}$ and $m^L = m_1 m_2 \dots m_L \in \Omega^L$, that $P_{M^L}(m^L) = \prod_{l=1}^{L} P_M(m_l)$ and hence

$$\sum_{m^L \in \Omega^L} P_{M^L}(m^L) = \Big(\sum_{m \in \Omega} P_M(m)\Big)^L.$$

Let $R = P_\pi$. Since $T_\pi \in St(m^L)$ for any $m^L \in [F(\pi)]^L$, we have $[F(\pi)]^L \subseteq \{m^L \in \mathcal{M}^L : St(m^L) \ne \{e\}\}$. Therefore the following inequality holds:

$$R^L = \Big(\sum_{m \in F(\pi)} P_M(m)\Big)^L = \sum_{m^L \in [F(\pi)]^L} P_{M^L}(m^L) \;\le\; \sum_{m^L :\, St(m^L) \ne \{e\}} P_{M^L}(m^L) \qquad (2)$$

On the other hand, if for some $m^L$ we have $St(m^L) \ne \{e\}$, then there exists a maximal key $\tau$ such that $m^L \in [F(\tau)]^L$. Therefore:

$$\sum_{m^L :\, St(m^L) \ne \{e\}} P_{M^L}(m^L) \;\le\; \sum_{\tau \in \mathcal{K}_{\max}} \;\sum_{m^L \in [F(\tau)]^L} P_{M^L}(m^L) = \sum_{\tau \in \mathcal{K}_{\max}} (P_\tau)^L \;\le\; |\mathcal{K}_{\max}|\,R^L \qquad (3)$$

Substituting (2) and (3) in (1), we finally obtain:

$$\log(2)\,R^L \;\le\; H(\mathcal{K}\,|\,M^L C^L) \;\le\; \log(|\mathcal{K}|)\,|\mathcal{K}_{\max}|\,R^L,$$

which is the desired result. ■

Note that Theorem 2.5 shows the asymptotically tight exponential behaviour of $H(\mathcal{K}\,|\,M^L C^L)$, with exponent base $R$ equal to the maximum among the sums of symbol probabilities over the fixed sets of the maximal keys.

III. Applications 

We shall consider four applications of Theorem 2.5. For the first two applications we assume without loss of generality that $P_M(1) \ge P_M(2) \ge \dots \ge P_M(N)$.

1. Let $\mathcal{K} = S_M$, the case of the simple substitution cipher. Clearly, the maximal keys are the transpositions. Therefore $R_1 = \sum_{j=1}^{N-2} P_M(j) = 1 - P_M(N) - P_M(N-1)$, $|\mathcal{K}| = N!$ and $|\mathcal{K}_{\max}| = \binom{N}{2}$. This result is obtained in [1].

2. Let $\mathcal{K} = A_M$, where $A_M$ is the alternating group acting on $\mathcal{M}$. It can easily be seen that the maximal keys are the substitutions which can be represented as the superposition of one cycle of length 3 and the identity substitution on the symbols outside this cycle, i.e. the 3-cycles. Clearly, these substitutions belong to $A_M^*$. Proceeding as in the previous case we get $R_2 = \sum_{j=1}^{N-3} P_M(j) = 1 - P_M(N) - P_M(N-1) - P_M(N-2)$, $|\mathcal{K}| = N!/2$ and $|\mathcal{K}_{\max}| = 2\binom{N}{3}$, the number of 3-cycles.

3. Let $d$ be a positive integer. We will consider messages of length $L = kd$, $k \ge 1$. Since the message source is memoryless, it is memoryless also over the cartesian product $\mathcal{M}^d$ considered as an alphabet.

Let $\pi \in S_\Delta$, where $\Delta = \{1, 2, \dots, d\}$. Define a mapping $T_\pi : \mathcal{M}^d \to \mathcal{M}^d$ as $T_\pi(m_1 m_2 \dots m_d) = m_{\pi(1)} m_{\pi(2)} \dots m_{\pi(d)}$. Since $\pi$ is a substitution, it follows that $T_\pi$ is a substitution of $\mathcal{M}^d$. The set $\{T_\pi : \pi \in S_\Delta\}$ with the superposition operation is a group isomorphic to $S_\Delta$, and it is a subgroup of $S_{\mathcal{M}^d}$.

Furthermore, it is well known that any $\pi \in S_\Delta$ can be represented as a superposition of disjoint cycles in a unique way up to the order of the factors. A partition of $\Delta$ corresponds to this representation, and it is not difficult to see that the fixed set $F(T_\pi)$ consists of exactly those $m^d \in \mathcal{M}^d$ whose letters in the positions belonging to the same subset of the partition of $\Delta$ coincide. Therefore, if we take $\rho \in S_\Delta$ different from $\pi$ such that the partition of $\Delta$ determined by $\rho$ is "more detailed" (finer), then the inclusion $F(T_\pi) \subseteq F(T_\rho)$ holds. The latter shows that those $T_\pi$ are maximal for which $\pi$ is represented as the superposition of one cycle of length 2 and the identity on the remaining points, i.e. $\pi$ is a transposition.

Taking the above considerations into account, the rate $R_3 = \sum_{j=1}^{N} P_M(j)^2$, the order of the subgroup $|\mathcal{K}| = d!$ and the number of maximal keys $|\mathcal{K}_{\max}| = \binom{d}{2}$ are easily computed for this case. Finally, we note that the inequalities of Theorem 2.5 now become:

$$\log(2)\,R_3^{\,k} \;\le\; H(\mathcal{K}\,|\,M^{kd} C^{kd}) \;\le\; \log(d!)\binom{d}{2} R_3^{\,k}.$$

4. Let now the alphabet $\mathcal{M}$ be a finite field with $|\mathcal{M}| = N$, where $N$ is a power of a prime number. Let $\mathcal{K}$ be the group of affine transformations

$$g : y = ax + b, \qquad a, b \in \mathcal{M},\ a \ne 0.$$

Obviously, each affine transformation $y = ax + b$ with $a \ne 1$ possesses exactly one fixed point $x_f = b/(1 - a)$, and when $b$ runs through $\mathcal{M}$ so does $x_f$. Moreover, the translations $y = x + b$, $b \ne 0$, do not possess any fixed points. Thus we have $R_4 = \max\{P_M(n) : n \in \mathcal{M}\}$, $|\mathcal{K}| = N(N-1)$ and $|\mathcal{K}_{\max}| = N(N-2)$.
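The bounds of Theorem 2.5 and the four cases of Section III can be checked by brute force on small alphabets. The following Python program is an added example, not code from the paper or its authors: it enumerates a key subgroup $\mathcal{K} \le S_M$ explicitly, computes $\mathcal{K}_{\max}$ and $R$ from Definitions 2.2 and 2.3, evaluates $H(\mathcal{K}\,|\,M^L C^L)$ exactly from Definition 2.4 with equiprobable keys, and reports $|\mathcal{K}|$, $|\mathcal{K}_{\max}|$ and $R$ for each of the four applications so they can be compared with the closed forms above. Symbols are numbered $0, \dots, N-1$ instead of $1, \dots, N$; the function names (`generate_group`, `maximal_keys`, `rate_R`, ...) and the probability vectors are my own constructed assumptions, and the affine case assumes $N$ prime so that $GF(N)$ is arithmetic modulo $N$.

```python
from collections import defaultdict
from itertools import permutations, product
from math import log, prod

def compose(p, q):                      # superposition (p o q)(i) = p(q(i)); keys are tuples
    return tuple(p[q[i]] for i in range(len(p)))

def cycle(n, *pts):                     # the cyclic substitution (pts[0] pts[1] ...) of {0..n-1}
    p = list(range(n))
    for a, b in zip(pts, pts[1:] + pts[:1]):
        p[a] = b
    return tuple(p)

def generate_group(gens, n):
    """Closure of gens under superposition; finite, hence a subgroup K <= S_n."""
    ident = tuple(range(n))
    group, frontier = {ident}, [ident]
    while frontier:
        new = [h for g in frontier for s in gens if (h := compose(s, g)) not in group]
        group.update(new)
        frontier = list(set(new))
    return sorted(group)

def symmetric_group(n):                 # application 1: K = S_M
    return generate_group([cycle(n, 0, 1), cycle(n, *range(n))], n)

def alternating_group(n):               # application 2: K = A_M; the 3-cycles (0 1 i) generate A_n
    return generate_group([cycle(n, 0, 1, i) for i in range(2, n)], n)

def position_group(d, pm):              # application 3: S_d permuting the positions of M^d
    syms = list(product(range(len(pm)), repeat=d))
    idx = {s: i for i, s in enumerate(syms)}
    keys = [tuple(idx[tuple(s[pi[j]] for j in range(d))] for s in syms)
            for pi in permutations(range(d))]
    return sorted(keys), [prod(pm[x] for x in s) for s in syms]   # keys, P over M^d

def affine_group(p):                    # application 4: y = ax + b over GF(p), p prime
    return sorted(tuple((a * x + b) % p for x in range(p))
                  for a in range(1, p) for b in range(p))

def fixed_set(key):                     # F(pi) of Definition 2.2
    return frozenset(i for i, j in enumerate(key) if i == j)

def maximal_keys(group):                # K_max of Definition 2.3 (proper-subset test on fixed sets)
    ident = tuple(range(len(group[0])))
    fs = {k: fixed_set(k) for k in group if k != ident}
    return [k for k, f in fs.items() if not any(f < g for g in fs.values())]

def rate_R(group, pm):                  # R = max of P_pi over maximal keys pi
    return max(sum(pm[j] for j in fixed_set(k)) for k in maximal_keys(group))

def key_appearance_equivocation(group, pm, L):
    """H(K|M^L C^L) by Definition 2.4 with equiprobable keys (natural log)."""
    total = 0.0
    for m in product(range(len(pm)), repeat=L):
        p_m = prod(pm[s] for s in m)              # memoryless source
        by_c = defaultdict(int)                   # number of keys producing each cryptogram
        for k in group:
            by_c[tuple(k[s] for s in m)] += 1
        # P(c|m) = cnt/|K|, and given (m, c) the key is uniform on the cnt consistent keys
        total += p_m * sum(cnt / len(group) * log(cnt) for cnt in by_c.values())
    return total

def theorem_bounds(group, pm, L):
    """(lower bound, exact H(K|M^L C^L), upper bound) of Theorem 2.5."""
    r_l = rate_R(group, pm) ** L
    return (log(2) * r_l, key_appearance_equivocation(group, pm, L),
            log(len(group)) * len(maximal_keys(group)) * r_l)

def applications(pm, pm_binary=(0.6, 0.4)):
    """(|K|, |K_max|, R) for the four cases of Section III; len(pm) must be prime."""
    N = len(pm)
    out = {name: (len(g), len(maximal_keys(g)), rate_R(g, pm)) for name, g in
           [("S_M", symmetric_group(N)), ("A_M", alternating_group(N)), ("affine", affine_group(N))]}
    g3, pm3 = position_group(3, pm_binary)        # d = 3 over a binary alphabet
    out["positions"] = (len(g3), len(maximal_keys(g3)), rate_R(g3, pm3))
    return out

if __name__ == "__main__":
    PM = (0.4, 0.3, 0.15, 0.1, 0.05)              # constructed; P(1) >= ... >= P(N), N = 5
    for name, g in [("S_5", symmetric_group(5)), ("A_5", alternating_group(5)), ("affine", affine_group(5))]:
        lo, h, hi = theorem_bounds(g, PM, 2)
        print(f"{name:7s} {lo:.4f} <= {h:.4f} <= {hi:.4f}  holds: {lo <= h <= hi}")
    print(applications(PM))
```

For $N = 5$ the run should report `holds: True` for all three groups, and `applications(PM)` should return $(120, 10, 0.85)$ for $S_M$, $(60, 20, 0.7)$ for $A_M$, $(20, 15, 0.4)$ for the affine group and $(6, 3, 0.52)$ for the position group, matching $R_1 = 1 - P_M(5) - P_M(4)$, $R_2 = 1 - P_M(5) - P_M(4) - P_M(3)$, $R_4 = \max_n P_M(n)$ and $R_3 = 0.6^2 + 0.4^2$. The equivocation is computed from the definition rather than from the proof's formula $\sum_{m^L} \log|St(m^L)|\,P_{M^L}(m^L)$, so the two agree only because of Lemma 2.1, which is the point the check exercises.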

IV. Conclusions 

Although during the past three decades mainly the computational aspects of cryptology have been developed, there is still room for information-theoretic investigations. An example in this direction is the theorem of the present paper, which justifies mathematically the intuitive understanding that recovery of the key in a known-plaintext attack on substitution ciphers is more difficult when this key possesses many fixed points.